A big security flaw in VW automobiles has leaked through the company’s massive efforts to keep it under wraps, affecting brands Fiat, Audi, Ferrari, and others. The company joins Chrysler, GM, Mercedes and BMW on a long list of carmakers whose vehicles are susceptible to hacker attacks.
The flaw enables what is known as “keyless” car theft, in which a criminal exploits weaknesses in the electronic locking mechanisms and engine immobilizers. Keyless car theft accounts for 42% of vehicle theft in London, and the security flaw has been known since 2012. Rather than address the costly problem, the German carmaker chose to sue the researchers to prevent publication of their results.
Normally a car will not start unless it receives an RFID signal from the owner’s key, but this system is easily compromised using scanning devices that can then mimic the signal. Security analyst Andrew Tierney commented on the phenomenon, “The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car.”
The only fix available is a costly total replacement of the RFID keys and the corresponding transponders in cars. Such a fix applied to all VW models could cost the company a whopping $1 billion. Researchers Roel Verdult and Baris Ege first took their findings to the key manufacturer in 2012, followed by VW in 2013, at which point the lawsuit was filed by VW to prevent publication of the findings.
Following a period of negotiation, the findings were published with the description of the flaw redacted. One point to keep in mind is that Verdult and Ege’s research concerned the keyless system made by Megamos, but other automakers use systems that may be just as vulnerable.
Until the issue is resolved, security experts recommend investing in additional measures such as steering locks and OBD locks. An on-board diagnostics (OBD) lock physically blocks the access port that mechanics normally use to communicate with the car’s computer. Thieves are able to program their own keys to the car if they can gain access to the OBD port.
The response by authorities to the problem looks just as troubling as VW’s efforts to fight publication of the security flaw. Efforts in London are underway to pass legislation banning the sale of the devices used in the keyless thefts, but lawmakers are forgetting that criminals don’t follow the law.